Cloud infrastructure has come a long way. Not that long ago, cloud hosting was thought to be risky and expensive. After all, why would you trust not just your own company data, but also the confidential client data you manage, with another company?
Nowdays, cloud infrastructure companies like Microsoft, Google, and Amazon have built secure, reliable and reputable frameworks that have earned the trust of businesses from financial services companies to law firms.
Many companies are hosting their systems and data on legacy on-premises infrastructure, debating whether they should take advantage of the benefits of cloud, or stick with the status quo. Here are some factors to consider when deciding whether to migrate to the cloud or stay on-prem.
5 key security considerations when evaluating cloud vs. on-premises infrastructure
For cloud and on-premises infrastructure, security considerations and controls are very similar. Both must protect sensitive data by controlling access, requiring multifactor authentication, ensuring proper system and network controls, encrypting data in transit and at rest, and providing monitoring, detection, and response capabilities, among multiple other security controls.
But one key advantage of cloud computing is that all reputable cloud infrastructure providers have experienced, dedicated security expertise and resources on hand to prioritize and implement security controls to maintain their cloud infrastructure. Cloud infrastructure companies have the budget and capacity to hire the best of the best in cloud security. They can and do invest the necessary resources since a robust security framework is table stakes for firms to use their products and services.
The higher investment is possible because multi-tenant cloud providers can also amortize security resource and control costs over hundreds or thousands of clients and customers, making their ability to provide comprehensive security much more cost-effective than doing it yourself.
1. Security responsibilities and shared security models
By definition, if you are on-premises, you own 100% of the tech stack. However, if you go with a cloud service provider, your firm is only responsible for system configuration and application-level security, while your service provider protects the physical systems and the networks up to the operating system level.
In other words, on-premises firms are responsible for security from top to bottom, across all layers of the tech stack. Infrastructure, platform and software-as-a-service vendors handle various levels of security in the tech stack.
For example, when a firm purchases Intapp products, Intapp takes on the system configuration and applicational software-level security controls to protect the client firm’s data. We deliver our solutions on a Microsoft Azure-based industry cloud, leveraging Microsoft’s physical systems, networking, and base-level machine security controls. However, the client firm still has some security control responsibility, primarily with regards to identity and access management, which remain largely up to the client.
When it comes to costs, the cloud infrastructure and the software provider split the cost (potentially over hundreds or thousands of clients) of maintaining the security of the infrastructure. For a firm building on-premises, they take on the entire cost of maintaining, upgrading, and executing their security controls and models.
2. Cloud security vs. on-premises security
Many firm decision-makers believe that their organizations have unique needs that require unique security controls that a cloud-hosting provider can’t offer. But the reality is, no firm has truly unique networking needs since all networks use the same IP protocol stack.
As an independent firm looking to maintain your own on-prem system, you likely have had a hard time competing for the resources and security experts to build and operate it. Perhaps the very largest law firms can recruit highly experienced teams, but most firms will struggle to get the right people to maintain, upgrade, and secure applications through an on-premises solution.
The bottom line is that the large cloud infrastructure providers are more secure. There hasn’t been any real network or system-level breach of any of the top five cloud infrastructure companies, as they have cornered the market with the best talent and security capabilities available.
3. Cost considerations of on-premises vs. cloud infrastructure
To put it bluntly, an on-premises infrastructure is not cheap. While it’s widely understood that there’s a high initial cost to build on-premises, there’s also a common misconception that maintenance costs will be lower. Regarding cloud hosting, there’s a similar misconception that while onboarding costs may be lower, the long-term subscription costs will be higher.
However, the truth is that an on-prem approach can be considerably more expensive overall. An on-premises deployment includes high costs not only for set-up, but also for staffing and retaining an expert team and maintaining and upgrading the system.
Another common pitfall: A firm hires an expert team to build them a system, but then those experts move on because they’re “builders,” not “maintainers.” The firm then struggles to maintain their highly customized on-premises products. On the other hand, cloud providers like Intapp can maintain the system and amortize over thousands of customers.
4. Security monitoring, incident response, and compliance requirements
When it comes to security monitoring and incident response, cloud deployment is hands-down the better option. Cloud providers look at threats holistically and can apply protections across the board for all of their clients. In addition, if they’re monitoring across many law firms and there’s a legal-specific security threat, the cloud provider can resolve the issue and apply it across all legal clients.
Here’s something else to consider: If a law changes, cloud providers have the resources and flexibility to make those changes across the board to alter the requisite business flow, so that all law firms are in compliance. But if a firm built a system five years ago based on different laws, that firm may not have the in-house expertise to easily or promptly make the change. There are risks to the firm, then, of breaching a security, legal, or regulatory requirement. A cloud provider gives firms the ability to keep up with industry requirements and changing regulations or compliance.
International firms with global offices that deploy on-premises infrastructure face an even greater security challenge: They have to manage varying security and compliance requirements across multiple regions. That can be very costly, as keeping up with ever-changing requirements around the world will likely require global security resources to ensure that the system is both secure and always up to date. While cloud providers also face this challenge, they have the dedicated capability to do this at a global scale. Again, it comes back to cost, scale, and security: An individual firm or smaller international firm with an on-prem system is going to have a less robust security program and security team, and therefore be more vulnerable to attack.
5. Security assessments, audits, and certification processes
Technically, on-premises firms do not require certifications, audits, or assessments as they take on the risk themselves — but they should still conduct regular audits and obtain relevant certifications. Widely accepted certifications, such as ISO27000 series and SOC 1 and 2, apply to both on-prem and cloud infrastructure. CSA STAR — along with U.S.-specific certifications for SaaS providers, like State Ramp and Fed Ramp — are more cloud-focused.
Although not mandatory, these certifications indicate a stronger security position and are valued by clients — particularly state funds and state governments, which may require them.
Cloud or on-prem: The final verdict
The final decision of whether to opt for cloud or stick with on-prem is an entirely individual choice. However, it’s clear that cloud infrastructure offers some clear advantages. The shift to cloud computing has become increasingly attractive as firms leverage the best in industry expertise and regulatory compliance — both critical elements for staying competitive in today’s fast-paced digital landscape. By embracing cloud solutions, firms can unlock new levels of efficiency, scalability, and innovation while helping to reduce costs and complexity.
Is your firm ready to make the move? Reach out to us to learn how Intapp can help your firm make the move to cloud.